HIPAA, HITECH and Beyond

Covered entities that discovered a breach of unsecured PHI affecting fewer than 500 individuals in calendar year 2016 are required to report all such breaches to OCR by Wednesday, March 1, 2017. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches (those affecting 500 or more individuals) within 60 days of discovering the breach.

This is also an appropriate time to review and update breach notification policies and procedures to make sure that covered entities have in place the mechanisms needed to notify OCR in a timely and appropriate manner. Those procedures should include a documented method for fixing the date of discovery, because the notification clock starts on the day the breach is known to the covered entity, or would have been known had it exercised reasonable diligence, not on the day an investigation concludes.

Under the Privacy Rule, a covered entity may “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, [which is] directly relevant to the involvement of that person in the patient’s care or payment for health care.” 45 C.F.R. § 164.510(b). OCR reported that it had recently become aware that many healthcare professionals were unsure how this provision applied to same-sex couples. In its guidance, OCR clarified that the list of potential recipients of PHI under 45 C.F.R. § 164.510(b) is in no way affected by the sex or gender identity of either the patient or the potential recipient. Furthermore, OCR clarified that when making disclosures under this exception, a covered entity should obtain verbal permission from the patient when possible, or otherwise be able to reasonably determine that the patient does not object, prior to disclosing the patient’s PHI. If the patient is incapacitated or otherwise unavailable, the covered entity may share the patient’s PHI when it believes that doing so would be in the patient’s best interest.

In addition, OCR clarified the circumstances in which a covered entity must disclose PHI to someone involved in a patient’s care. In some cases, a spouse, partner, or other person involved in a patient’s care is considered the patient’s personal representative and, as a result, has the authority to exercise the patient’s rights on the patient’s behalf, such as the right to access medical and other health records under the Privacy Rule. A covered entity must treat a personal representative as the individual for purposes of the Privacy Rule. Therefore, a covered entity cannot deny a personal representative the rights the Privacy Rule affords the individual for any reason, including the personal representative’s sex or gender identity. According to an OCR FAQ,

[I]f a state grants legally married spouses health care decision-making authority for each other, such that legally married spouses are personal representatives under the HIPAA Privacy Rule, the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records.

More information from OCR on HIPAA and marital status can be found here. General guidance about when HIPAA permits disclosures to family members, friends, and others involved in a patient’s care or payment for care can be found here.

If you have any questions regarding these or any other HIPAA issues, please contact your Vorys health care attorney.

For the first time in nearly thirty years, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) has updated the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 C.F.R. Part 2). On January 18, 2017, SAMHSA published the Final Rule amending 42 C.F.R. Part 2. The changes were set to be effective February 17, 2017, but as discussed in greater detail below, the effective date has been delayed until no sooner than March 21, 2017.

On October 22, 2013, Presence Health discovered that paper-based operating room schedules containing the PHI of 836 individuals were missing from the Presence Surgery Center at Presence St. Joseph Medical Center. However, it was not until January 31, 2014 — 101 days after its discovery — that Presence Health notified HHS of the breach. Following an investigation, OCR found that Presence Health failed to notify affected individuals until February 3, 2014 (104 days after discovery), and media outlets until February 5, 2014 (106 days after discovery).

These notifications were untimely. According to OCR Director Jocelyn Samuels:

Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements. Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.

This settlement is an important reminder of the importance of ensuring timely breach notification. As provided in the HIPAA Breach Notification Rule, covered entities, upon discovery of a breach of unsecured PHI, may have up to three separate notification obligations, depending upon the number of affected individuals:

Individual Notification: For all breaches, notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery.

Media Notification: For breaches affecting more than 500 residents of a State or jurisdiction, notify prominent media outlets serving the State or jurisdiction without unreasonable delay and in no case later than 60 calendar days after discovery.

HHS Notification:

For breaches affecting 500 or more individuals, notify HHS via its web portal contemporaneously with the individual notification.

For breaches affecting fewer than 500 individuals, notify HHS via its web portal not later than 60 days after the end of the calendar year in which the breach was discovered.

If you have any questions about breach notification or other health information privacy and security issues, please contact your Vorys health care attorney.

A fact sheet released December 20 by the Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health Information Technology explains a number of hypothetical scenarios in which protected health information (PHI) may be shared in support of public health activities or other important public health policies. Under HIPAA, a number of regulatory provisions permit use and disclosure without patient authorization. Using and disclosing PHI for public health activities is one such provision. While this guidance does not change the existing HIPAA regulatory scheme, it provides a number of scenarios exemplifying some more common uses and disclosures for public health activities. A brief synopsis follows below.

On November 28, 2016, the Office for Civil Rights (OCR) issued an alert to covered entities and business associates that are monitoring their email for OCR audit communications. According to OCR, a phishing email disguised as an official communication from the Department of Health and Human Services (HHS) and purporting to be signed by OCR Director Jocelyn Samuels has been circulating. The email instructs recipients to click a link regarding inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, but the link leads to a non-governmental firm marketing its cybersecurity services. The email and the firm are not in any way connected to OCR, HHS, or the HIPAA audits. Recipients should inspect the actual destination of any link in a message claiming to come from HHS before following it, rather than relying on the sender name or display text. OCR asks that any questions regarding communications purporting to be from HHS or OCR concerning the HIPAA audits be directed to OSOCRAudit@hhs.gov.

The Office for Civil Rights (OCR) has announced two more significant HIPAA settlements involving covered entities. Both settlements were the result of investigations triggered by breach reports involving laptop thefts. And as is often the case, the investigations uncovered numerous HIPAA compliance issues above and beyond those which led to the breach.

North Memorial Health Care of Minnesota (North Memorial) reached a $1.55 million settlement and corrective action plan with OCR related to allegations that it, in the words of OCR Director Jocelyn Samuels, overlooked “two major cornerstones of the HIPAA Rules.” OCR began its investigation following receipt of a breach report in September 2011, which indicated that an unencrypted, password-protected laptop containing electronic protected health information (e-PHI) of approximately 9,000 patients was stolen from a locked vehicle belonging to an employee of a hospital business associate. OCR’s investigation uncovered that North Memorial’s business associate had access to its hospital database containing e-PHI of more than 289,000 patients in order to perform payment and operations activities on its behalf. However, North Memorial failed to require the business associate to enter into a business associate agreement. Additionally, OCR noted that North Memorial had not completed a comprehensive and accurate risk analysis, a recurring finding in OCR’s 2015 enforcement actions. A password alone does not satisfy the encryption safe harbor: data on a stolen device is unsecured PHI unless it is encrypted in a manner consistent with HHS guidance.

The other recent enforcement involved OCR agreeing to a $3.9 million settlement and “substantial” corrective action plan with the Feinstein Institute for Medical Research (Feinstein). The investigation into Feinstein followed a breach report in September, 2012, indicating that a laptop containing e-PHI of approximately 13,000 research participants was stolen from an employee’s car. OCR’s investigation exposed significant problems with Feinstein’s security management process, and further found that Feinstein did not have appropriate policies and procedures and other safeguards in place to protect e-PHI. Following this settlement, OCR Director Jocelyn Samuels offered a reminder to providers:

Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.

These investigations and settlements offer a number of key takeaways:

Covered entities should regularly inventory their roster of business associates, and consider auditing those with access to large quantities of PHI.

Security risk assessments are at the top of regulators’ checklists, and as a result are critical to demonstrating HIPAA compliance.

Following a breach report, covered entities and business associates should take the opportunity to reexamine their HIPAA compliance, including conducting a security risk assessment, reviewing and updating policies and procedures, and re-training workforce members.

On Monday, the Office for Civil Rights (OCR) announced the long-awaited launch of Phase 2 of its HIPAA Audit Program. OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to establish a permanent compliance audit program for HIPAA covered entities and their business associates. OCR completed the first phase of testing for the audit program in 2012, when it audited 115 covered entities, but had not established a permanent program until now.

OCR will begin Phase 2 by sending pre-audit questionnaires to both covered entities and business associates to determine potential audit pools. Covered entities and business associates will remain in the potential audit pool even if they do not respond to OCR’s request for updated contact information. In its press release, OCR indicated that the Phase 2 audits will focus on desk reviews of HIPAA Privacy, Security, and Breach Notification Rules policies and procedures, although some on-site reviews will be conducted. OCR anticipates publishing an updated audit protocol to assist organizations with conducting their own internal self-audits as part of their HIPAA compliance activities. The desk audits are scheduled to be completed by December 2016.

The announcement of Phase 2 implementation follows a requested $4 million increase over OCR’s fiscal year 2016 budget, part of which was earmarked for Phase 2 audits. OCR will direct approximately $1.5 million of the requested $4 million increase toward the audit program, giving it an estimated $9.2 million budget. In the Fiscal Year 2017 budget justification presented to the House of Representatives Appropriations Committee, OCR Director Jocelyn Samuels noted that the audit program would support OCR’s “compliance and enforcement mission by proactively and systematically measuring industry compliance with HIPAA requirements.” Previously, OCR’s approach to compliance was primarily reactive, targeting covered entities only in response to complaints and breach reports. Ms. Samuels indicated that the additional funding for the permanent phase of the audit program will enable OCR to take a “proactive and systemic look at industry compliance successes and struggles” outside the context of a privacy breach incident, and will help “generate analytical tools and methods for entity self-evaluation.”

Look for upcoming posts providing more details on the Phase 2 Audit Program.

The U.S. Substance Abuse and Mental Health Services Administration (SAMHSA) recently published a proposed rule which would amend the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, found in 42 C.F.R. Part 2. The confidentiality provisions were promulgated in 1975, and last amended substantively in 1987, prior to new models of integrated care built upon a foundation of information sharing, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system. SAMHSA’s long awaited proposed rule seeks to modernize the confidentiality provisions to better reflect the current treatment system, particularly with respect to ease of transferring records and patient information, while still maintaining privacy protections for those receiving substance use treatment.

The current regulations protect patient records and information relating to substance use treatment received at a federally assisted substance use program. Generally, any disclosure of identifiable data reflecting substance use treatment without express written consent from the individual is prohibited. In its proposed rule, SAMHSA states that while privacy concerns have not lessened, it believes that changes to the regulations are necessary to “better align them with advances in the U.S. health care delivery system,” and ensure that patients receiving treatment for substance use disorders are able to participate and benefit from new integrated care models which promote health care quality and reduce costs. SAMHSA also notes that improvements in health care technology would allow providers to separate portions of a patient’s record to reflect consent preferences for substance use treatment information within the electronic health records or health information exchanges allowing for easier information sharing while still maintaining compliance with 42 C.F.R. Part 2.

In addition to revisions to certain definitions so as to make the regulations “more understandable and less burdensome,” SAMHSA’s most significant proposed change addresses the consent section of the regulations. Currently, the regulations require that a consent form include the name or title of the individual, or the name of the organization, to which disclosure is to be made as part of the patient’s written consent to the disclosure. In response to stakeholder concern that the current requirements for sharing patient records covered by Part 2 deter patients from participating in health information exchanges (HIEs), accountable care organizations (ACOs), and other similar organizations, SAMHSA proposes that the “to whom” section of the consent form could include a more generalized description of the entities permitted to receive patient information. The proposed rule would also require that patients receive and sign a statement indicating that they understand the terms of their consent and to whom their information may be released.

Comments on the rule will be accepted through April 11. These changes will take effect beginning 180 days after the publication of the final rule, unless otherwise noted. HHS’s press release may be accessed here and the full text of the proposed rule may be accessed here.

Earlier this month, a bipartisan group of Senators introduced legislation designed to expand the use of telehealth and remote monitoring services in Medicare by removing numerous barriers to reimbursement.

Senate bill S.2484, known as The Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act, would create a program that would waive Medicare requirements that certain telehealth services occur at designated sites. The bill would also expand the categories of providers eligible to perform and be reimbursed for telehealth services. Currently, Medicare reimbursement for telehealth services is available only for limited provider types, located in certain “distant sites,” and treating patients located at certain “originating sites” in designated geographic regions.

The CONNECT for Health Act would allow qualifying providers participating in alternative Medicare payment models to use remote patient monitoring (RPM) to monitor patients with chronic conditions without the current Medicare restrictions. The bill would permit more “originating sites,” including dialysis centers and Native American health service facilities, and would permit more telehealth and RPM in community health centers and rural health clinics.